The security of car parking apps put under the microscope

Dec 14, 2015 14:52 GMT  ·  By

Research has uncovered security flaws in Android applications deployed by Britain's top car parking services, security consultancy NCC Group claims.

In recent years, to cut down operational costs and to help users that are always in a hurry, car parking lots have started providing mobile apps that allow people to easily and quickly pay their parking fees.

These apps are quite common in the UK, but also in countries like the US, Australia, or Canada.

NCC Group researchers tested six Android car parking apps from different yet unnamed UK vendors. According to the researchers, these apps are guilty of various security flaws ranging from the usage of unsafe custom encryption to incorrect sensitive data storage.

Apps are using half-baked encryption for moving credit card data

As the researchers explain, all apps used encryption to protect the users' data, which is surprising if we take into account a recent study that showed the opposite.

But when the researchers looked closer at the encryption methodology, this false sense of security was quickly shattered: the apps did not validate the certificate presented by the server when establishing the encrypted communications channel. This leaves users exposed to MitM (Man-in-the-Middle) attacks via proxy servers; the only condition is that the attacker be on the same network as the app's user.

To make things even worse, one of the six apps was using a custom encryption scheme whose encryption key was embedded right inside the app's APK file, making it easy for any attacker to acquire it by decompiling the app and then reverse-engineering the encryption algorithm.

Passwords stored on the device, sometimes in cleartext

Another security hole that the NCC Group researchers discovered regards how passwords are stored on the device.

Trying to make it easier to log into the app automatically the next time users open it, some vendors made the mistake of saving the password on the device, unfortunately in unencrypted form, in the app's private data folder, where any attacker knows to look.

On top of this, for one application, security researchers were also able to exploit a JavaScript-based flaw and gain access to the device's private data folders, allowing them to steal data from the phone.

Conclusions & recommendations

However, things aren't as bad as you'd expect. "Many of the application developers had clearly taken steps to secure their application against trivial attacks, and where data had been stored it had in some cases been stored safely," said NCC Group's Chris Spencer.

"Although all of the apps could be decompiled, some of the developers had obfuscated their code to prevent others from reading it easily. This would frustrate potential attackers," he also added.

NCC Group recommends that all app vendors, not only makers of car parking apps, use properly configured TLS connections to safeguard credit card data in transit from the app to the server, and also use certificate pinning to avoid basic MitM attacks.
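How an Android developer would apply that pinning advice with the OkHttp library, shown as an added example that is neither the article's nor any of the tested vendors' code; the host name and the two pin values are placeholders, and the accept-everything trust manager at the top illustrates the certificate-validation defect described earlier.

```java
// Added example, not from the article or from NCC Group: pinning the API
// server's public key with OkHttp, beside the validation flaw the tests found.
// Assumptions: "api.parking.example" and both pin strings are placeholders;
// real pins are derived from the server's own certificate chain.
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class ParkingApiClient {
    private static final String API_HOST = "api.parking.example"; // placeholder

    // The defect the article describes: a trust manager that accepts any
    // certificate, so a proxy on the same network can terminate the TLS session
    // and read the card data. Kept here only to contrast with pinnedClient().
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Hardened form: keep the platform's default chain and hostname validation
    // (OkHttp performs both) and additionally require that one of the
    // SubjectPublicKeyInfo hashes in the served chain matches a known pin.
    // A chain with no matching pin makes OkHttp fail the connection.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
            // Primary pin: SPKI hash of the leaf or intermediate currently served.
            .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // placeholder
            // Backup pin for a key held offline, so a key rotation does not lock out users.
            .add(API_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // placeholder
            .build();
        return new OkHttpClient.Builder()
            .certificatePinner(pinner)
            .build();
    }

    // Produces the "sha256/<base64 SPKI hash>" string for a certificate obtained
    // out of band (e.g. exported from the server deployment), which is how the
    // pin values above are generated before being compiled into the app.
    static String pinFor(Certificate cert) {
        return CertificatePinner.pin(cert);
    }
}
```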

Additionally, for any data stored on the device, developers should look into using hashing algorithms to protect the data's integrity.